author | James Moger <james.moger@gmail.com> | 2016-12-14 17:01:10 -0500 |
committer | GitHub <noreply@github.com> | 2016-12-14 17:01:10 -0500 |
commit | 4ece397d714946697bf911221b6168356a6c44c7 (patch) | |
tree | 11fd1ef945527fd713dfa4b9705dd8a51ca5fc64 /src/main | |
parent | bf179e6e1a1cf422076af2d5ef471f85a7ecf6e2 (diff) | |
parent | 60099a42faf7c34edb4651253cdb1a7723fbf029 (diff) | |
Merge pull request #1167 from fzs/secureCookies
Secure cookies
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/java/com/gitblit/GitBlitServer.java | 3 | ||||
-rw-r--r-- | src/main/java/com/gitblit/manager/AuthenticationManager.java | 14 |
2 files changed, 16 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index d56d9c0c..6123a872 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -375,7 +375,8 @@ public class GitBlitServer {
 HashSessionManager sessionManager = new HashSessionManager();
 sessionManager.setHttpOnly(true);
 // Use secure cookies if only serving https
- sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+ sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+ (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
 rootContext.getSessionHandler().setSessionManager(sessionManager);

 // Ensure there is a defined User Service
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 49787631..0a4d8ed7 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -608,6 +608,11 @@ public class AuthenticationManager implements IAuthenticationManager {
 userCookie = new Cookie(Constants.NAME, cookie);
 // expire the cookie in 7 days
 userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+ // Set cookies HttpOnly so they are not accessible to JavaScript engines
+ userCookie.setHttpOnly(true);
+ // Set secure cookie if only HTTPS is used
+ userCookie.setSecure(httpsOnly());
 }
 }
 String path = "/";
@@ -622,6 +627,15 @@ public class AuthenticationManager implements IAuthenticationManager {
 }
 }

+
+ private boolean httpsOnly() {
+ int port = settings.getInteger(Keys.server.httpPort, 0);
+ int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+ return (port <= 0 && tlsPort > 0) ||
+ (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+ }
+
+
 /**
 * Logout a user.
 * |
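Review bot: The comment `// Use secure cookies if only serving https` above the changed `setSecureRequestOnly(...)` call is now stale, because the new condition also sets the Secure flag when both ports are open and `server.redirectToHttpsPort` is true; it should read `// Use secure cookies when only serving https, or when http requests are redirected to the https port`. The same stale wording appears in the second hunk as `// Set secure cookie if only HTTPS is used`. The predicate itself is spelled out twice, here from `params` and again in `httpsOnly()` in the third hunk from `settings`; if the command-line parameters and the settings can disagree, the servlet session cookie and the Gitblit authentication cookie would get different Secure flags, so deriving both from one shared helper would keep the policy consistent.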
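Review bot: `userCookie.setSecure(httpsOnly())` decides the Secure attribute purely from Gitblit's own port configuration, so an instance that listens only on HTTP behind a TLS-terminating reverse proxy issues the authentication cookie without Secure even though clients reach it over HTTPS. The enclosing method starts outside the hunk; if the servlet request is in scope there (assuming it is named `request`), the request's `isSecure()` result could be or-ed in, `userCookie.setSecure(httpsOnly() || request.isSecure());`, or a dedicated setting could force the flag for proxied deployments. The two new attributes are also only applied on the branch that creates a fresh cookie; if the other branch of the enclosing conditional issues an expiring cookie to clear the session, it should carry the same HttpOnly and Secure attributes so both cookies are handled alike.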
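Review bot: The new private method `httpsOnly()` has no Javadoc, and its name understates what it checks, since it returns true both when only an HTTPS port is configured and when an HTTP port is configured but requests are redirected to the HTTPS port. A Javadoc should state that it reports whether every client connection is expected to travel over TLS, list those two cases, and note that `server.redirectToHttpsPort` is read with a default of true here, so a reader understands why marking the cookie Secure is safe in the redirect case. The method is also wrapped in two blank lines above and below (the lone `+` lines), whereas the surrounding code separates members with a single blank line.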